Please wait a minute...
浙江大学学报(工学版)
Journal of ZheJiang University (Engineering Science)  2020, Vol. 54 Issue (11): 2149-2157    DOI: 10.3785/j.issn.1008-973X.2020.11.010
    
Log-based rich-semantic ABAC policy mining
Wen-chao WU(),Zhi-yu REN*(),Xue-hui DU
Information Engineering University, Zhengzhou 450001, China
Download: HTML     PDF(804KB) HTML
Export: BibTeX | EndNote (RIS)      

Abstract  

A log-based rich-semantic attribute-based access control (ABAC) policy mining method was proposed, to deal with fine-grained access control in large-scale information system, and to mine out readable, accurate and complete ABAC policy set, which is consistent with subject behavior profiles, so as to provide strong support for security administrator on constructing, maintaining and optimizing ABAC policy set. ABAC policies consistent with subject behavior are found out from access log and attribute data by frequent pattern mining in the proposed method. The rich-semantic ABAC policy set is obtained by correctness and semantic quality analysis. The accuracy and the completeness of the method were verified using cross-validation technique. The F1-score on public dataset was 0.8375, and that on handmade dataset was 0.9394. Validation on handmade dataset indicates that the method can mine policy set with higher quality than existing ones on small train set. The improvement of semantic quality of authorization rules is also proved on the handmade dataset.

Key wordsattribute-based access control (ABAC)      policy mining      access log      frequent pattern mining      rich-semantic policy     
Received: 23 November 2019      Published: 15 December 2020
CLC:  TP 309  
Corresponding Authors: Zhi-yu REN     E-mail: 3130104330@zju.edu.cn;ren_ktzy@163.com
Service
E-mail this article
Add to my bookshelf
Add to citation manager
E-mail Alert
RSS
Articles by authors
Wen-chao WU
Zhi-yu REN
Xue-hui DU
Cite this article:

Wen-chao WU,Zhi-yu REN,Xue-hui DU. Log-based rich-semantic ABAC policy mining. Journal of ZheJiang University (Engineering Science), 2020, 54(11): 2149-2157.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2020.11.010     OR     http://www.zjujournals.com/eng/Y2020/V54/I11/2149


基于日志的富语义ABAC策略挖掘

为了解决大规模环境下的细粒度访问控制问题,挖掘出易于人工阅读、契合主体行为模式、精确完备的基于属性的访问控制(ABAC)策略,从而为安全管理员进行策略构建、维护和优化提供有力支撑,提出基于日志的富语义ABAC策略挖掘方法. 该方法基于频繁模式挖掘算法,从访问日志和属性数据中挖掘契合主体行为模式的ABAC策略. 对策略进行正确性和语义质量分析获得富语义ABAC策略集. 通过交叉验证方法对策略集的精确性和完备性进行验证,算法在公开数据集上的F1得分为0.8375,在手写数据集上的F1得分为0.9394. 在手写数据集上的验证表明,算法可以在较小训练集上得到比现有算法更高质量的策略集,所得授权规则在易读性方面有所提升.


关键词: 基于属性的访问控制(ABAC),  策略挖掘,  访问日志,  频繁模式挖掘,  富语义策略 
Fig.1 Flow chart of LRSAPM algorithm
数据集信息 日志条目数量 主体数量 主体属性数量 客体数量 客体属性数量
Amazon-Employee 32769 4244 8 7519 1
HealthCare 2724 21 6 18 7
Tab.1 Dataset information about AmazonEmployee and HealthCare
Fig.2 Influence of parameter T on F1-score of two algorithms
Fig.3 Influence of parameter $K$ on F1-score of two algorithms
Fig.4 Influence of train set ratio on TPR/Recall of two algorithms
Fig.5 Influence of train set ratio on FPR of two algorithms
Fig.6 Influence of train set ratio on Precision of two algorithms
Fig.7 Influence of train set ratio on F1-score of two algorithms
数据集 算法 TPR/Recall FPR Precision F1-score
Amazon-Employee LRSAPM 0.9522 0.6200 0.7475 0.8375
Rhapsody 0.9906 0.0018 0.0114 0.0226
Health-Care LPSAPM 1 0 0.8858 0.9394
Rhapsody 0.9092 0.0186 0.6892 0.7833
Tab.2 Comparison of F1-score of two algorithms on two datatsets
[1]   SANDHU R S, SAMARATI P Access control: principle and practice[J]. IEEE Communications Magazine, 1994, 32 (9): 40- 48
doi: 10.1109/35.312842
[2]   王小明, 付红, 张立臣 基于属性的访问控制研究进展[J]. 电子学报, 2010, (7): 33
WANG Xiao-ming, FU Hong, ZHANG Li-chen Research progress on attribute-based access control[J]. Acta Electronica Sinica, 2010, (7): 33
[3]   房梁, 殷丽华, 郭云川, 等 基于属性的访问控制关键技术研究综述[J]. 计算机学报, 2017, 40 (7): 1680- 1698
FANG Liang, YIN Li-hua, GUO Yun-chuan, et al A survey of key technologies in attribute-based access control scheme[J]. Chinese Journal of Computers, 2017, 40 (7): 1680- 1698
doi: 10.11897/SP.J.1016.2017.01680
[4]   DAS S, MITRA B, ATLURI V, et al. Policy engineering in RBAC and ABAC [M]// From database to cyber security. Cham: Springer, 2018: 24-54.
[5]   HU V, FERRAIOLO D, KUHN R, et al. Guide to attribute based access control (ABAC) definition and considerations [R/OL]. (2019-02-15). https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=914795.
[6]   JIN Z, CUI Y, YAN Z. Survey of intrusion detection methods based on data mining algorithms [C]// Proceedings of the 2019 International Conference on Big Data Engineering. New York: ACM, 2019: 98-106.
[7]   BAUER L, GARRISS S, REITER M K Detecting and resolving policy misconfigurations in access-control systems[J]. ACM Transactions on Information and System Security, 2011, 14 (1): 2
[8]   BAUER L, LIANG Y, REITER M K, et al. Discovering access-control misconfigurations: new approaches and evaluation methodologies [C]// Proceedings of the Second ACM Conference on Data and Application Security and Privacy. San Antonio: ACM, 2012: 95-104.
[9]   NAROUEI M, KHANPOUR H, TAKABI H, et al. Towards a top-down policy engineering framework for attribute-based access control [C]// Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. Indianapolis: ACM, 2017: 103-114.
[10]   XU Z, STOLLER S D Mining attribute-based access control policies[J]. IEEE Transactions on Dependable and Secure Computing, 2014, 12 (5): 533- 545
[11]   TALUKDAR T, BATRA G, VAIDYA J, et al. Efficient bottom-up mining of attribute based access control policies [C]// 2017 IEEE 3rd International Conference on Collaboration and Internet Computing. San Jose: IEEE, 2017: 339-348.
[12]   KARIMI L, JOSHI J. An unsupervised learning based approach for mining attribute based access control policies [C]// 2018 IEEE International Conference on Big Data. Seattle: IEEE, 2018: 1427-1436.
[13]   XU Z, STOLLER S D. Mining attribute-based access control policies from logs [C]// IFIP Annual Conference on Data and Applications Security and Privacy. Heidelberg: Springer, 2014: 276-291.
[14]   MOCANU D, TURKMEN F, LIOTTA A. Towards ABAC policy mining from logs with deep learning [C]// Proceedings of the 18th International Multiconference. Ljubljana: Intelligent Systems, 2015.
[15]   COTRINI C, WEGHORN T, BASIN D. Mining ABAC rules from sparse logs [C]// 2018 IEEE European Symposium on Security and Privacy. London: IEEE, 2018: 31-46.
[16]   IYER P, MASOUMZADEH A. Mining positive and negative attribute-based access control policy rules [C]// Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies. Indianapolis: ACM, 2018: 161-172.
[17]   DAS S, SURAL S, VAIDYA J, et al. Using gini impurity to mine attribute-based access control policies with environment attributes [C]// Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies. Indianapolis: ACM, 2018: 213-215.
[18]   AGRAWAL R, SRIKANT R. Fast algorithms for mining association rules [C]// Proceedings of the 20th International Conference on Very Large Data Bases. San Francisco: ACM, 1994, 1215: 487-499.
[19]   AGRAWAL R, IMIELINSKI T, SWAMI A. Mining association rules between sets of items in large databases [C]// Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data. Washington: ACM, 1993: 207-216.
[1] TIAN Jing-Gong, BO Xiao-Hong, WANG Zheng-Xiao. Data analysis in real-time supply chain based on frequent pattern mining[J]. Journal of ZheJiang University (Engineering Science), 2009, 43(12): 2259-2263.